Why is #dnssec so unpopular among large orgs? As someone who works for large orgs, I have seen a number of excuses, none of them really valid.
First, large orgs are traditionally risk averse, and since they routinely screw up on simple "mandatory" things like TLS cert renewals, any mention of "DNS outage due to expired key" makes them freak out and reject any proposals of "optional" controls that could go wrong.
@kravietz "because it's hard"
Second, CTOs have the picture of manually keyed DNSSEC from the 2000s (which was a nightmare) because this is when they usually stopped having hands-on experience with technology. They have never heard about DNSSEC inline signing or ACME.
Third, large orgs frequently use "large" managed DNS providers, which suck at implementing "bleeding edge" technologies such as DNSSEC and IPv6. Or they will charge for them as "premium" features.